Hello Proxmox community and developers,
I'm new here! Very excited about Proxmox!
I'm the IT and information security manager for a small-mid business (~80 people, expect to double that over the next 5-8 years). Need to spin up a cluster to host services and security systems as we work towards new security goals. Been simulating a Proxmox cluster w/ Ceph in a virtual environment and think it is a good fit for our needs based on impressions thus far. Looking forward to our build-out. I intend to buy basic support or contribute donations to all of the open source projects we intend to take advantage of for this system.
Will start with 3 nodes this fall to get our feet wet on real hardware (learn how to break it, fix it, recover it, etc.), expand to 5-6 nodes next year when we're ready to bring user computers into the new domain environment and begin migrating data from cloud to on-prem.
Anticipated Workloads:
WinServer 2019 (instance1): Domain Controller (Internal TrustedLAN DNS/DHCP/GP/AD), RADIUS server
WinServer 2019 (instance2): File Server
Win10Pro: Video Surveillance System w/ ~16 cams. Untrusted network Wi-Fi controller, temporary print server "back door" to trusted network.
pfSense: OpenVPN (full gateway redirect, full tunnel tap for all remote and local users), RADIUS client, IPS, pfBlocker, UntrustedLAN DHCP, etc.
Security Onion: full packet capture, NIDS, DLP, log aggregation for server systems.
Wazuh Server: HIDS, config compliance scans, log aggregation for client systems.
Placeholder: (possible Git server or something similar for our software devs?)... Will likely add more in future but not sure what that looks like yet.
I'm leaning towards single socket EPYC Rome 2U WIO servers from SuperMicro (2113S-WTRT).
Config per node: 7402P / 128-256GB RAM / 250GB NVMe boot / 500GB NVMe DB/WAL / Intel X700 or X500 for 10G (10GBASE-T and SFP+ ports).
"Fast" pool of 2.5" SATA SSDs (likely 2TB each, minimum 4 per node, up to ~8-12 per node is likely long term) for VM OSes, security logs, and eventual in-house file server (~2M files and growing). DB/WAL for each OSD on the respective OSD.
"Slow" pool of 3.5" SATA spinners (likely 6-12TB each, 4 per node) for packet capture, security cam footage, and creative services media archive, installed in an external DAS enclosure (R2424RM from raidmachine looks interesting) connected to JBOD/IT mode SAS controllers. DB/WAL for all "slow" OSDs on a single NVMe M.2 SSD per node installed on the motherboard.
1 X SG350XG-24T 10G switch for Coro1/CephP/TrustedLAN (separate VLANs)
1 X SG350XG-24T 10G switch for Coro2/CephC/OOBLAN (separate VLANs)
Various other switches for Untrusted Building Network, IPMI, and WAN.... not important.
---------------------------
Questions:
1. Assuming each node would potentially have up to 4 X ~10TB direct attached as part of its "slow" pool, how big should the NVMe DB/WAL drive be to support the 4 drives?
2. Does Proxmox work with the 10G Broadcom NICs built into many SuperMicro servers?
3. Should I substitute the CephC network on the second switch with a second CephP in a LAG failover instead? (Any development plans in Ceph to make CephC capable of becoming CephP automagically in the case of a CephP fail?)
4. X700 vs X500 series Intel NICs? Newer vs older models? Best practice here for Proxmox 6?
5. Any major concerns with the plan above in terms of hardware selection/config? Overkill/Underkill? I feel like this is a good starting point for the intended use.
------------------
Thank you!
-Eric
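Editor's note on question 1 (an added worked example, not part of Eric's post and not Proxmox or Ceph project code): the Ceph BlueStore configuration reference recommends that a separate block.db device be no smaller than 4% of the OSD's data device. The script below applies that guideline to the "4 x ~10TB spinners sharing one 500GB NVMe" layout from the post and reports whether the planned device is large enough. The percentage, the decimal TB/GB units and the RocksDB level thresholds (about 3, 30 and 300 GB, which older Ceph releases without dynamic level sizing could use effectively) are assumptions stated in the code, not values taken from the post.

```python
"""Size a shared BlueStore block.db / WAL device for a set of HDD OSDs.

Added example for the forum thread above; not Ceph or Proxmox project code.
Assumptions (labelled here and in the functions):
  * Ceph docs guideline: block.db should be >= 4% of the OSD data device.
  * Sizes use decimal units (1 TB = 1000 GB), like drive vendors do.
  * Older RocksDB level layouts only benefit from DB sizes around
    3 GB / 30 GB / 300 GB; anything between two tiers behaves like the
    lower tier. Newer releases relax this, so treat it as a rough check.
"""

from typing import Dict, List

# Assumed guideline from the BlueStore config reference: db >= 4% of data.
DEFAULT_DB_PERCENT = 4.0

# Assumed RocksDB level tiers (GB) for the older, non-dynamic level layout.
ROCKSDB_TIERS_GB = (3, 30, 300)


def bluestore_db_size_gb(osd_size_tb: float, percent: float = DEFAULT_DB_PERCENT) -> float:
    """Recommended block.db size in GB for one OSD of osd_size_tb TB."""
    osd_size_gb = osd_size_tb * 1000.0          # decimal TB -> GB
    return osd_size_gb * percent / 100.0


def rocksdb_usable_tier_gb(db_gb: float) -> int:
    """Largest assumed RocksDB tier that fits in db_gb (0 if below 3 GB).

    Illustrates why a 125 GB partition may behave like a 30 GB one on
    older Ceph releases: the space between tiers goes unused.
    """
    usable = 0
    for tier in ROCKSDB_TIERS_GB:
        if db_gb >= tier:
            usable = tier
    return usable


def plan_db_device(osd_sizes_tb: List[float], device_gb: float,
                   percent: float = DEFAULT_DB_PERCENT) -> Dict[str, object]:
    """Check one shared NVMe against the per-OSD block.db recommendation.

    Returns the recommended size per OSD, the total the guideline calls for,
    whether the device meets it, and what an equal split of the device
    would give each OSD (with its assumed effective RocksDB tier).
    """
    per_osd = [bluestore_db_size_gb(size, percent) for size in osd_sizes_tb]
    total = sum(per_osd)
    equal_split = device_gb / len(osd_sizes_tb) if osd_sizes_tb else 0.0
    return {
        "per_osd_gb": per_osd,
        "total_gb": total,
        "device_gb": device_gb,
        "fits": device_gb >= total,
        "equal_split_gb": equal_split,
        "equal_split_effective_tier_gb": rocksdb_usable_tier_gb(equal_split),
    }


if __name__ == "__main__":
    # Constructed input matching the post: four ~10 TB spinners, 500 GB NVMe.
    plan = plan_db_device([10, 10, 10, 10], device_gb=500)
    print(f"recommended per OSD : {plan['per_osd_gb'][0]:.0f} GB")
    print(f"recommended total   : {plan['total_gb']:.0f} GB")
    print(f"planned device      : {plan['device_gb']:.0f} GB -> fits: {plan['fits']}")
    print(f"equal split per OSD : {plan['equal_split_gb']:.0f} GB "
          f"(effective tier ~{plan['equal_split_effective_tier_gb']} GB on older releases)")
```

Under the 4% guideline, four 10TB OSDs call for about 1600GB of block.db in total, so the 500GB NVMe in the plan covers roughly a third of that; if the DB is undersized, BlueStore spills metadata onto the spinner, which is the failure mode worth checking with `ceph daemon osd.N perf dump` (the `bluefs` section reports slow-device usage) after the cluster is built.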